Greetings,

On Sat, Jun 29, 2013 at 10:55 AM, Arun Khan <[email protected]> wrote:

> I would add lack of time.

++1 I am sorry I missed out this. BTW, I tend to believe that people do not have priority rather than time, most often. Blame it on my impression that this list is heavily populated by developers rather than admins, like the CentOS list.

> I recall, that a default install of apache on CentOS would not work
> with SELinux set to enforce. One had to set it to "permissive."
> This might have been fixed in the latest incarnates.

The last CentOS install I did asked for the mode, and the default is enforcing, and things work pretty well out of the box.

> Do you have any data to back this up?

Not much, but one data point at least. I cannot reveal names; I know of at least one incident where a fairly good Linux administrator (in India) was forced into, lo and behold!, a Windows desktop support engineer as an escape route for fiddling with SELinux and firewall settings and the customer could not access to test the app from across the ponds.

> To the best of my knowledge SELinux is installed and ON (default IIRC)
> only in Redhat and derivative distros.

Indeed.

> SELinux is non trivial.

+1

> If you have domain knowledge (beyond n00b+)
> in the area, please help Dhana Sekar. Additionally, please blog it
> with use case scenarios.

I have sorted out SELinux related issues in the past, but have not documented it. Gotta pick my brains for the details. To begin with, I would suggest one should install the setroubleshoot app and watch closely what it says and understand... kinda reverse engineer. That approach would slightly make learning easier.

As of CentOS 6, I can vouch that the out of box stuff works as advertised with SELinux in enforcing mode. The stuff starts when people, say, copy PHP/java app tree of "hot new" in the /var/www/html and expect it to run and then complain.

Actually I was thinking of sharing my experiences using the story-telling technique (kinda from-the-trench-war-time memoirs) very soon. That perhaps would also help partially answer the query earlier in this list "how to troubleshoot".

I was away from core tech for the last few months and was caught up in the IS audit and the such. I am sure after the Snowden event, many PHBs would start tossing around the "security" related jargon like they have tossed around "firewall" and "anti-virus" for a decade or so to gain brownie points at least. Hope you get the picture.

Of course I must congratulate Dhanashekar for bringing the serious subject of security and that too security in depth.

Thank you again, Dhanashekhar for bringing up this topic and Thanks Arun for pointing out

Regards,
Rajagopal

_______________________________________________
ILUGC Mailing List: http://www.ae.iitm.ac.in/mailman/listinfo/ilugc
ILUGC Mailing List Guidelines: http://ilugc.in/mailinglist-guidelines
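
Added example, not part of the original message: a small Python summarizer for SELinux AVC denial records, the raw audit data that setroubleshoot interprets, to illustrate the "watch what it says and understand" approach suggested above. The log lines are constructed samples, and `next_check` is a hypothetical triage helper whose hints only name standard commands.

```python
import re

# Constructed audit.log lines in the AVC record format (not from a real host).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1372500000.101:410): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.php" dev=dm-0 ino=131 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1372500001.202:411): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/var/www/html/app/config.php" dev=dm-0 ino=132 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1372500002.303:412): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=5432 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1372500002.303:412): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Group denied permissions by (command, source type, target type, class)."""
    summary = {}
    for line in log_text.splitlines():
        match = AVC_RE.search(line) if line.startswith("type=AVC") else None
        if match is None:
            continue  # skip SYSCALL and other non-AVC records
        key = (match["comm"], selinux_type(match["scon"]),
               selinux_type(match["tcon"]), match["tclass"])
        summary.setdefault(key, set()).update(match["perms"].split())
    return {key: sorted(perms) for key, perms in summary.items()}

def next_check(target_type, tclass):
    """Hypothetical triage hint for an httpd_t denial; extend for other cases."""
    if tclass in ("file", "dir") and not target_type.startswith("httpd_"):
        return "compare labels with 'ls -Z'; 'restorecon -Rv' resets to policy default"
    if tclass == "tcp_socket":
        return "review httpd booleans with 'getsebool -a | grep httpd'"
    return "read the full setroubleshoot report for this denial"

if __name__ == "__main__":
    for (comm, stype, ttype, tclass), perms in summarize_denials(SAMPLE_AUDIT_LOG).items():
        print(f"{comm} ({stype}) denied {perms} on {ttype}:{tclass}")
        print("  ->", next_check(ttype, tclass))
```

On a real host the same function can be fed the contents of /var/log/audit/audit.log in place of the constructed sample.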
